A year on from the cyber attack on Marks and Spencer, the industry has absorbed the scale of the event. How those losses actually unfold, however, remains less well understood.
The headline figures drew attention, particularly the gap between reported losses and insured limits. For Ed Ventham, head of broking at Assured, that gap reflects a more basic issue. “The loss isn’t just about the outage period,” he said. “It’s how long you operate in a degraded state, as the most material losses often occur during prolonged partial recovery rather than full outage.”
Cyber business interruption is still widely framed around downtime. Ventham argues that this lens obscures how losses build in practice and that businesses often dismiss the risk on the basis that they are unlikely to be offline for extended periods. “Don’t think of it like that. Think of it as like a slow attrition to what you are going to lose over time.”
That attrition is not measured in revenue alone. “Revenue loss alone is a misleading measure of exposure and it’s not what’s paid out,” he said. “The metrics are actually lost earnings after variable costs together with continuing operating expense.”
Those costs persist even as income falls, and often increase during recovery, as businesses bring in additional staff or infrastructure to keep operating.
The persistence of revenue-based assumptions points to a deeper modelling problem. Many organisations still anchor their exposure to top-line loss, rather than how interruption is actually calculated.
The gap becomes most visible in large events. In the case of Marks and Spencer, insured limits were significantly below reported losses. “The reported losses indicate a significant gap between modelled exposure and realised impact,” he said.
Even detailed financial data does not fully capture the effect. “There’s going to be so many costs in the event of an incident where you can’t access certain parts of your business, which would then completely rack up,” Ventham said.
Recent incidents have also clarified where business interruption risk originates. Losses are increasingly driven by dependencies rather than direct attacks.
“The supply chain is being peppered recently,” Ventham said. He points to manufacturers whose revenues depend heavily on a single customer. When that customer is disrupted, the financial impact flows upstream. “Thinking about that business interruption when it’s not you having the attack but it’s your own customer supply chain,” he said, “these events have woken the world up to it.”
A few insurers have responded by introducing customer-dependent cover, often at speed. The development reflects demand but raises questions about how such risks can be priced. “It is extremely difficult to model and aggregate accurately,” Ventham said. “How on earth do you know how many if someone has hundreds of customers?”
Ventham does not see a fundamental flaw in coverage design. The more persistent issue is the level of protection being purchased.
“I don’t think they’re holding incorrect cyber cover,” he said. “I just don’t think they’re holding enough.”
The gap is most acute in sectors with physical goods and complex supply chains, where interruption effects escalate quickly. Yet the urgency seen after high-profile incidents has already begun to ease, with demand for higher limits starting to soften. “We saw that in buying behaviour,” Ventham said. “It’s tailed off a bit now.”
Even where organisations respond well operationally, many have yet to quantify their financial exposure. “Neither had quantified what their true quantum of BI was,” Ventham said of recent high-profile cases. “That needs to be the next move.”
The task is not straightforward, requiring a detailed understanding of cost structures and how disruption affects earnings over time. But the direction is clear. “Revenue alone tells you very little about actual BI exposure. Start focusing on what your costs would be in the event you lose part or all of your business operation,” he said. “That’s the bit that’s actually going to matter.”
Buying behaviour may have softened, but the underlying exposure has not. A year on from the Marks and Spencer incident, the gap it exposed between insured limits and real business interruption losses remains largely unresolved and, in many cases, still not properly measured.